Blog — Pallets Project
<h1>Take the Pallets / Flask Community Survey</h1>
<p>2019-01-29, David Lord</p>
<p>One of my goals as a Pallets maintainer is to build the community around our projects. The Pallets projects (Flask, Jinja, Click, etc.) are downloaded millions of times each month, but it's hard to get a clear picture of what our users do and want from download stats alone. We'd like to learn about you and your projects. Knowing more about our community will help us decide what to focus on to grow the Pallets projects.</p>
<p><a href="https://goo.gl/forms/CtZrOgWUa8gy1FNz2"><strong>Click here to take our Community Survey.</strong></a></p>
<p>Please share the link with friends, coworkers, and the internet! We're looking forward to seeing everyone's responses! You can follow <a href="https://twitter.com/PalletsTeam">https://twitter.com/PalletsTeam</a> or this blog to get updates about Pallets, including the survey results.</p>
<h1>MarkupSafe 1.1.0 Released</h1>
<p>2018-11-05, David Lord</p>
<p><a href="https://markupsafe.palletsprojects.com/en/1.1.x/changes/">Changelog</a></p>
<ul>
<li>Dropped support for Python 2.6 and 3.3.</li>
<li>Using newer CPython APIs gave the C extension a 1.5x speedup on Python 3. Python 2 will still get the same speed as before, but you should consider upgrading if possible.</li>
<li>The <code>escape</code> function uses the <code>__html__</code> method on an object if it's available. It will now ensure that result is wrapped in the <code>Markup</code> class, for consistency with other behavior.</li>
</ul>
<h2 id="platform-wheels">Platform Wheels</h2><p>Installing from PyPI with pip will now install a precompiled wheel if available. Wheels have been compiled for supported CPython versions on Linux, Mac, and Windows.</p>
<p>MarkupSafe comes with a C extension that adds a significant speedup to escaping. However, if a compiler or headers aren't available, the install will fall back to a pure Python implementation. Previously, the user would see no indication that they didn't get the speedups, or would see confusing error messages even though the install succeeded. Now, many more users will be able to take advantage of the speedups provided by MarkupSafe without extra configuration.</p>
<h2 id="documentation">Documentation</h2><p>Full documentation has been added in place of the previous README. It is available through Read the Docs at <a href="https://markupsafe.palletsprojects.com/">https://markupsafe.palletsprojects.com/</a>.</p>
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/MarkupSafe">PyPI</a> with pip:</p>
<pre><code>pip install -U MarkupSafe
</code></pre>
<h2 id="donate">Donate</h2><p>We accept donations through the Python Software Foundation in order to support our efforts to maintain the projects and grow the community. <a href="/donate">Click here to donate.</a></p>
<h1>itsdangerous 1.1.0 Released</h1>
<p>2018-10-26, David Lord</p>
<p>itsdangerous 1.1.0 has been released to fix compatibility issues that were affecting projects while upgrading. Due to these issues, we had to make a quick decision and pull itsdangerous 1.0.0 from PyPI earlier today to prevent more projects from being affected. We apologize for the difficulty this caused, and the changes in this release should address compatibility going forward.</p>
<p>1.0.0 changed the default digest algorithm from SHA-1 to SHA-512. SHA-1 as used by itsdangerous was never susceptible to the collision issue published last year, but the change was made for peace of mind. However, this change invalidated existing signatures that were in use.</p>
<p>To address this, 1.1.0 reverts the default digest to SHA-1. It also adds a fallback mechanism to try other algorithms when unsigning. This gives projects a safe way to upgrade signing parameters in the future, while still supporting existing signatures during the upgrade period. A default fallback for SHA-512 was added to support projects that were already affected by the 1.0.0 version. 1.1.0 is therefore compatible with both 0.24 and 1.0.0, so upgrading should be safe in either case.</p>
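<p>The fallback-on-unsign mechanism described above, modelled as an added example with the standard library only. This is not itsdangerous's own code (the library exposes the same idea as a <code>fallback_signers</code> option on its <code>Serializer</code>); the <code>Signer</code>, <code>Serializer</code> and <code>demo</code> names, the simplified key derivation and the sample secret are constructed for illustration.</p>

```python
import base64
import hashlib
import hmac


class BadSignature(Exception):
    """No configured signer accepted the signature."""


class Signer:
    """HMAC signer with a selectable digest (constructed; modelled on the library's Signer)."""

    def __init__(self, secret_key: bytes, salt: bytes = b"demo.Signer", digest_method=hashlib.sha1):
        self.digest_method = digest_method
        # Derive a per-salt key from the secret so that different uses of the
        # same secret never share an HMAC key (simplified key derivation).
        self.key = hmac.new(secret_key, salt, digest_method).digest()

    def get_signature(self, value: bytes) -> bytes:
        mac = hmac.new(self.key, value, self.digest_method).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=")

    def sign(self, value: bytes) -> bytes:
        return value + b"." + self.get_signature(value)

    def unsign(self, signed: bytes) -> bytes:
        value, sep, sig = signed.rpartition(b".")
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not sep or not hmac.compare_digest(sig, self.get_signature(value)):
            raise BadSignature("signature does not match")
        return value


class Serializer:
    """Signs with the primary digest only; unsigns with the primary, then each fallback."""

    def __init__(self, secret_key: bytes, digest_method=hashlib.sha1, fallback_digests=()):
        self.signer = Signer(secret_key, digest_method=digest_method)
        self.fallbacks = [Signer(secret_key, digest_method=d) for d in fallback_digests]

    def dumps(self, value: bytes) -> bytes:
        return self.signer.sign(value)  # new tokens always use the primary digest

    def loads(self, signed: bytes) -> bytes:
        for signer in [self.signer, *self.fallbacks]:
            try:
                return signer.unsign(signed)
            except BadSignature:
                continue
        raise BadSignature("no configured signer accepted the token")


def demo() -> dict:
    """Tokens from a 0.24-style (SHA-1) and a 1.0.0-style (SHA-512) signer both load
    under a 1.1.0-style serializer, while a tampered token is still rejected."""
    secret = b"constructed-demo-secret"
    v0_24 = Serializer(secret, digest_method=hashlib.sha1)
    v1_0 = Serializer(secret, digest_method=hashlib.sha512)
    v1_1 = Serializer(secret, digest_method=hashlib.sha1, fallback_digests=[hashlib.sha512])
    sha1_token, sha512_token = v0_24.dumps(b"session-data"), v1_0.dumps(b"session-data")
    result = {
        "sha1_token_loads": v1_1.loads(sha1_token) == b"session-data",
        "sha512_token_loads": v1_1.loads(sha512_token) == b"session-data",
        "new_tokens_use_sha1": v1_1.dumps(b"session-data") == sha1_token,
    }
    try:
        v1_1.loads(b"X" + sha512_token[1:])  # alter the payload, keep the signature
        result["tampered_rejected"] = False
    except BadSignature:
        result["tampered_rejected"] = True
    return result
```

Because fallbacks apply only when unsigning, a deployment can change the primary digest and keep accepting tokens issued under the old one until they have all expired, then drop the fallback.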
<p>Additionally, we reverted a change to the project name in setup.py. 1.0.0 changed the capitalization from "itsdangerous" to "ItsDangerous", but this caused issues with some systems. The name will remain as "itsdangerous".</p>
<p>We apologize again for the issues and thank everyone in the community who contributed to the discussion.</p>
<h2 id="upgrade">Upgrade</h2><p>Install from <a href="https://pypi.org/project/itsdangerous">PyPI</a> with pip:</p>
<pre><code>pip install -U itsdangerous
</code></pre>
<h1>It's Dangerous 1.0.0 Released</h1>
<p>2018-10-18, David Lord</p>
<p>It's Dangerous 1.0.0 has been released. See the <a href="https://itsdangerous.palletsprojects.com/en/1.0.x/changes/#version-1-0-0">changelog</a> for a list of changes since the last release on 2014-03-28.</p>
<p>It's Dangerous provides secure message signing and serialization. Without the secret key used to sign a message, the content cannot be changed without invalidating the signature. This allows, for example, Flask to store information in a session cookie that is transmitted over public networks, and be sure that the data has not been tampered with when loading a subsequent request.</p>
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/ItsDangerous">PyPI</a> with pip:</p>
<pre><code>pip install -U ItsDangerous
</code></pre>
<h2 id="imports-will-change">Imports will change</h2><p>Previously, It's Dangerous was a single Python module with about 1000 lines of code. The project has been reorganized as a package with submodules, which will make the code easier to navigate going forward.</p>
<p>However, this means that <em>everything</em> that It's Dangerous imported or defined used to be importable from <code>itsdangerous</code>. With the reorganization, only the public API is importable from <code>itsdangerous</code>. To ease transition, "public" was defined as any name that was previously documented in the API section. These compatibility imports will be deprecated and removed in future releases. If you were importing undocumented names, you'll need to import them from the correct submodule now.</p>
<h2 id="read-the-docs">Read the Docs</h2><p>It's Dangerous has moved its docs to Read the Docs. The new URL for the docs is <a href="https://itsdangerous.palletsprojects.com/">https://itsdangerous.palletsprojects.com/</a>.</p>
<p>The docs were previously hosted on PyPI's docs site (<code>pythonhosted.org/itsdangerous</code>), but this site has been deprecated and it is no longer possible to upload new docs there. Unfortunately, due to the deprecation, there is no way to add a redirect to the new docs. As of this release, any URLs pointing to the old site will break.</p>
<h2 id="get-involved">Get Involved</h2><p>The Pallets team depends on you, the community, to help keep our projects sustainable. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. <a href="https://github.com/pallets/click">Star the project on GitHub</a> to show support, and <a href="https://help.github.com/articles/watching-and-unwatching-repositories/">watch</a> the repository to see discussions and pull requests as they happen.</p>
<h2 id="donate">Donate</h2><p>We accept donations through the Python Software Foundation in order to support our efforts to maintain the projects and grow the community. <a href="/donate"><strong>Click here to donate.</strong></a></p>
<h1>Click 7.0 Released</h1>
<p>2018-09-25, David Lord</p>
<p>The Pallets team is pleased to release Click 7.0. Thank you to everyone who contributed online and in person at the PyCon US 2018 sprint! With the help of the community as well as some new maintainers, we've managed to resolve hundreds of long standing issues and pull requests.</p>
<p>Due to the length of time since the last release, there are a significant number of new features and fixes. <a href="https://click.palletsprojects.com/en/master/changelog/#version-7-0">Check out the changelog</a> for a list of all code changes and links to the relevant issues. Changes include:</p>
<ul>
<li>Shell autocompletion has improved in a number of areas.<ul>
<li>Native ZSH completion was added, and supports its enhanced parameter documentation.</li>
<li>The choice type can be completed.</li>
<li>Completion correctly handles chained commands, spaces, defaults, and partial completions.</li>
<li>Parameters can provide a callback to customize completion.</li>
</ul>
</li>
<li>On Windows <code>click.echo</code> can now output more than 16k characters in one call. On Windows 7, a 64k limit on binary stream output is also worked around.</li>
<li><code>click.getchar</code> returns Unicode on Windows.</li>
<li>When piping input and output, more cases of closed pipes are detected and handled instead of raising errors.</li>
<li>The <code>CliRunner</code> used for testing separates stdout and stderr.</li>
<li>New <code>DateTime</code> and <code>FloatRange</code> parameter types.</li>
<li>Flags to mark a parameter as hidden or deprecated.</li>
<li>Numerous improvements and fixes to I/O, help, parameters, and testing.</li>
</ul>
<h2 id="read-the-docs">Read the Docs</h2><p>Click is the first Pallets project to move its docs to Read the Docs. Our projects currently use a custom builder and hosting, but this became too difficult with limited maintainer time. Thank you to everyone at RTD who helped with the transition!</p>
<p>The new URL for the docs is <a href="https://click.palletsprojects.com/">https://click.palletsprojects.com/</a>. The old <a href="http://click.pocoo.org/">http://click.pocoo.org/</a> domain will redirect to the new one while we continue to migrate, but will eventually go away. Please use the new URL going forward.</p>
<p>Click's docs use a custom Sphinx theme and extensions. As part of the move, these were extracted to a separate Python package. Install <a href="https://pypi.org/project/Pallets-Sphinx-Themes">Pallets-Sphinx-Themes</a> to use Click's theme when writing extensions for a more cohesive look.</p>
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/Click">PyPI</a> with pip:</p>
<pre><code>pip install -U Click
</code></pre>
<h2 id="get-involved">Get Involved</h2><p>Click and the Pallets team depend on you, the community. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. <a href="https://github.com/pallets/click">Star the project on GitHub</a> to show support, and <a href="https://help.github.com/articles/watching-and-unwatching-repositories/">watch</a> the repository to see discussions and pull requests as they happen.</p>
<h2 id="donate">Donate</h2><p>We now accept donations through the Python Software Foundation in order to support our efforts to maintain the projects and grow the community. <a href="/donate"><strong>Click here to donate.</strong></a></p>
<h1>PyCon and Adding Maintainers to Click</h1>
<p>2018-06-01, David Lord</p>
<p>In May I attended PyCon US 2018 in Cleveland, Ohio. It's a great opportunity to meet people interested in the Pallets projects and Python web applications. It can be a little intimidating, but also a lot of fun. The biggest difficulty is that there are <em>too many</em> things to do, and I always wish everyone could have a few more days together.</p>
<p>During the main conference, while talks are happening, anyone can organize "open spaces," impromptu meetings for any topic. I organized a Pallets open space, and we had a huge turnout. I was kind of unprepared for the size, so we started with people asking me questions, and then split up into tables for new users, Flask, Click, and Jinja.</p>
<p><img src="/blog/pycon-2018-click/open-space-board.jpg" alt="Open space announcement"></p>
<p>For up to four days after the talks, developers get together for sprints, working together to contribute to Python open source projects. Experienced developers help new ones learn how to contribute, and everyone gets to learn about new projects and meet the developers behind them.</p>
<p><img src="/blog/pycon-2018-click/open-space.jpg" alt="Pallets open space"></p>
<p>At the open space, I had mentioned that no one had really been maintaining Click for the past year. It turns out a <em>lot</em> of people use Click. They came motivated from the open space to contribute during the sprint. Some were new to contributing, but they all had one thing in common: they knew how Click was being used more than I did! So I took a chance and gave them all write permissions to the repository. Click started at ~250 open issues and 68 pull requests. After 2 days, it was at 140 issues and 22 pull requests. Wow! With that success, I'm officially welcoming all these new maintainers to the Pallets Click team. While Click stole the show, we had great contributions to Werkzeug, Flask, and Jinja as well.</p>
<p><img src="/blog/pycon-2018-click/sprint-dinner.jpg" alt="Dinner with Pallets sprinters"></p>
<p>If you want to get involved, a great way is to <a href="https://help.github.com/articles/watching-and-unwatching-repositories/">watch our repositories on GitHub</a>. You'll get notifications for each issue, so you can see what's happening and start contributing. You can help by triaging issues, improving tests and documentation, and fixing bugs. If your company uses a Pallets project like Flask, Click, or Jinja, consider pointing them to our <a href="https://www.palletsprojects.com/donate">PSF donation page</a>. Donations will help get maintainers to more events so we can do more sprints like this one. Thank you to everyone at PyCon and in the community for making Pallets a success!</p>
<h1>Donate to Support Pallets</h1>
<p>2018-04-26, David Lord</p>
<p>Pallets is excited to announce that we have joined the Python Software
Foundation's Fiscal Sponsorship program. As a non-profit organization,
the PSF will accept donations on behalf of Pallets into a dedicated
account.</p>
<p>Donations enable more attention from maintainers, which translates into
more time devoted to fixing bugs, developing features, and making
quicker releases. <a href="https://psfmember.org/civicrm/contribute/transact?reset=1&amp;id=20"><strong>Click here to donate today.</strong></a></p>
<p>The Pallets organization develops and supports Flask, Jinja, Werkzeug,
Click, and other Python libraries. These libraries power applications of
all sizes around the world, and are downloaded millions of times each
month. Despite their popularity, the projects are primarily maintained
by only a few developers. The goal of Pallets is to grow the community
around these projects to create a sustainable group of contributors and
users.</p>
<p>Your donation will help:</p>
<ul>
<li>Allow maintainers to devote more of their time to the projects.</li>
<li>Recognize outstanding contributors in the community.</li>
<li>Allow maintainers and community members to attend conferences.</li>
<li>Acquire infrastructure and developer tools.</li>
<li>Sponsor local meetup events.</li>
<li>And more!</li>
</ul>
<p>If you like the work we do, you may donate as an
individual. If your employer uses Flask or any of the Pallets projects,
reach out to them to donate.</p>
<p>Flask and the Pallets team depend on you, the community. We thank you
for all the contributions you've already made, and look forward to
growing the community even more.</p>
<p><a href="https://psfmember.org/civicrm/contribute/transact?reset=1&amp;id=20"><strong>Click here to donate today.</strong></a></p>
<h1>Flask 1.0 Released</h1>
<p>2018-04-26, David Lord</p>
<p>The Pallets team is pleased to release <a href="https://palletsprojects.com/p/flask/">Flask</a> 1.0.</p>
<p>The Flask framework has been stable for a long time. A little more than 8 years after the first commit, the version number finally reflects that. 1.0 comes with a significant number of changes representing over a year of work.</p>
<ul>
<li>Dropped support for Python 2.6 and 3.3.</li>
<li>The CLI is more flexible. <code>FLASK_APP</code> can point to an app factory, optionally with arguments. It understands import names in more cases where filenames were previously used. It automatically detects common filenames, app names, and factory names. <code>FLASK_ENV</code> describes the environment the app is running in, like <code>development</code>, and replaces <code>FLASK_DEBUG</code> in most cases. <a href="http://flask.pocoo.org/docs/1.0/cli/">See the docs to learn more.</a></li>
<li>If python-dotenv is installed, the <code>flask</code> CLI will load environment variables from <code>.flaskenv</code> and <code>.env</code> files rather than having to export them in each new terminal.</li>
<li>The development server is multi-threaded by default to handle concurrent requests during development.</li>
<li><code>flask.ext</code>, which was previously deprecated, is completely removed. Import extensions by their actual package names.</li>
<li>Accessing missing keys from <code>request.form</code> shows a more helpful error message in debug mode, addressing a very common source of confusion for developers.</li>
<li>Error handlers are looked up by code then exception class, on the blueprint then application. This gives more predictable control over handlers, including being able to handle <code>HTTPException</code>.</li>
<li>The behavior of <code>app.logger</code> has been greatly simplified and should be much easier to customize. The logger is always named <code>flask.app</code>, it only adds a handler if none are registered, and it never removes existing handlers. <a href="http://flask.pocoo.org/docs/1.0/logging/">See the docs to learn more.</a></li>
<li>The <code>test_client</code> gained a <code>json</code> argument for posting JSON data, and the <code>Response</code> object gained a <code>get_json</code> method to decode the data as JSON in tests.</li>
<li>A new <code>test_cli_runner</code> is added for testing an app's CLI commands.</li>
<li>Many documentation sections have been rewritten to improve clarity and relevance. This is an ongoing effort.</li>
<li>The <a href="http://flask.pocoo.org/docs/1.0/tutorial/">tutorial</a> and corresponding <a href="https://github.com/pallets/flask/tree/1.0/examples/tutorial">example</a> have been rewritten. They use a structured layout and go into more detail about each aspect in order to help new users avoid common issues and become comfortable with Flask.</li>
</ul>
<p>There are many more changes throughout the framework. <a href="http://flask.pocoo.org/docs/1.0/changelog/">Read the full changelog</a> to understand what changes may affect your code when upgrading.</p>
<h2 id="json-security-fix">JSON Security Fix</h2><p>Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text related encodings that could result in unexpected memory use by a request.</p>
<p>Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.</p>
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/Flask/">PyPI</a> with pip:</p>
<pre><code>pip install -U Flask
</code></pre>
<h2 id="get-involved">Get Involved</h2><p>Flask and the Pallets team depend on you, the community. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. Check out the <a href="https://github.com/pallets/flask/blob/master/CONTRIBUTING.rst">contributing guide</a> to get started.</p>
<h2 id="donate">Donate</h2><p>The Pallets organization has joined the Python Software Foundation's Fiscal Sponsorship program. We now accept donations through the PSF in order to support our efforts to maintain the projects and grow the community. <a href="https://psfmember.org/civicrm/contribute/transact?reset=1&amp;id=20">Click here to donate.</a></p>
<h1>Flask 0.12.3 Released</h1>
<p>2018-04-26, David Lord</p>
<p>This release includes an important security fix for JSON and a minor backport for CLI support in PyCharm. It is provided for projects that cannot update to Flask 1.0 immediately. See the <a href="/blog/flask-1-0-released">1.0 announcement</a> and update to it instead if possible.</p>
<h2 id="json-security-fix">JSON Security Fix</h2><p>Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text related encodings that could result in unexpected memory use by a request.</p>
<p>Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.</p>
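<p>The detection step described in this JSON Security Fix section, and in the identical section of the Flask 1.0 announcement above, as an added example: the codec is chosen from the first bytes of the body (BOM or null-byte layout, the table from RFC 4627 section 3) and is restricted to the UTF family, while the charset the client declares is disregarded. This is not Flask's own code; the function names, the allowlist and the sample requests are constructed for illustration.</p>

```python
import codecs
import json

# Only the UTF family is acceptable for JSON bodies; anything else is never consulted.
SUPPORTED_JSON_ENCODINGS = {
    "utf-8", "utf-8-sig", "utf-16", "utf-16-le", "utf-16-be",
    "utf-32", "utf-32-le", "utf-32-be",
}


def detect_json_encoding(data: bytes) -> str:
    """Pick a UTF encoding from the BOM or from where 0x00 bytes sit in the
    first four octets. JSON always starts with an ASCII character, so the
    null-byte layout reveals the code-unit width and byte order."""
    head = data[:4]
    if head[:3] == codecs.BOM_UTF8:
        return "utf-8-sig"
    if b"\x00" not in head:
        return "utf-8"  # no null bytes at all: single-byte code units
    # UTF-32 BOMs must be checked before UTF-16, since FF FE 00 00 starts with FF FE.
    if head in (codecs.BOM_UTF32_BE, codecs.BOM_UTF32_LE):
        return "utf-32"  # the codec consumes the BOM itself
    if head[:2] in (codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE):
        return "utf-16"
    if len(head) == 4:
        if head[:3] == b"\x00\x00\x00":
            return "utf-32-be"  # 00 00 00 xx
        if head[1:] == b"\x00\x00\x00":
            return "utf-32-le"  # xx 00 00 00
        if head[::2] == b"\x00\x00":
            return "utf-16-be"  # 00 xx 00 xx
        if head[1::2] == b"\x00\x00":
            return "utf-16-le"  # xx 00 xx 00
    if len(head) == 2:
        return "utf-16-be" if head[0] == 0 else "utf-16-le"
    return "utf-8"


def load_json_body(data: bytes, content_type: str) -> object:
    """Decode a JSON request body the way the fix describes. The charset
    parameter in content_type is deliberately ignored: the codec comes from
    the bytes themselves and must be one of the supported UTF encodings."""
    encoding = detect_json_encoding(data)
    if encoding not in SUPPORTED_JSON_ENCODINGS:  # defensive guard on the allowlist
        raise ValueError(f"unsupported JSON encoding {encoding!r}")
    return json.loads(data.decode(encoding))


# Constructed sample requests: the declared charset disagrees with the bytes.
SAMPLE_REQUESTS = [
    ("application/json; charset=utf-8", '{"user": "ann"}'.encode("utf-8")),
    ("application/json; charset=latin-1", '{"user": "ann"}'.encode("utf-16")),
    ("application/json; charset=not-a-text-codec", '{"user": "ann"}'.encode("utf-32-be")),
]


def demo() -> list:
    """Every sample decodes to the same object regardless of the declared charset."""
    return [load_json_body(body, ctype) for ctype, body in SAMPLE_REQUESTS]
```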
<h2 id="upgrade">Upgrade</h2><p>Upgrade from <a href="https://pypi.org/project/Flask/">PyPI</a> with pip. Use a version identifier if you want to stay at 0.12:</p>
<pre><code>pip install -U Flask==0.12.3
</code></pre>
<p>Or upgrade to 1.0:</p>
<pre><code>pip install -U Flask
</code></pre>
<h1>Werkzeug 0.14 Released</h1>
<p>2017-12-31, Armin Ronacher</p>
<p>The Pallets team is pleased to release <a href="/p/werkzeug">Werkzeug</a> 0.14. Changes include:</p>
<ul>
<li>Improved the usefulness of <code>Request.application</code> by automatically handling HTTP exceptions.</li>
<li>Added support for platforms that lack <code>SpooledTemporaryFile</code>. This primarily affects GAE users which were unable to use 0.13 due to this missing API.</li>
<li>Added support for ETag handling through <code>If-Match</code>.</li>
<li>Added support for the SameSite cookie attribute along with better support for invalid cookies.</li>
<li>Added an HTTP proxying middleware (<code>werkzeug.wsgi.ProxyMiddleware</code>).</li>
<li>Various improvements for the reloader.</li>
<li>The built-in HTTP server will no longer close a connection in cases
where no HTTP body is expected (204, 204, HEAD requests etc.)</li>
<li>Werkzeug will no longer send the content-length header on 1xx or
204/304 responses.</li>
<li>Added support for static weights in URL rules.</li>
<li>Better handling of some more complex reloader scenarios where <code>sys.path</code>
contained non-directory paths.</li>
</ul>
<p><a href="http://werkzeug.pocoo.org/docs/latest/changes/#version-0-14">Read the full changelog.</a></p>
<h3 id="install-or-upgrade">Install or upgrade</h3><p>Install from <a href="https://pypi.org/project/Werkzeug/0.14/">PyPI</a> with pip:</p>
<pre><code>pip install -U Werkzeug
</code></pre>
<h3 id="get-involved">Get Involved</h3><p>Werkzeug and the Pallets team depend on you, the community. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. We updated the <a href="https://github.com/pallets/werkzeug/blob/master/CONTRIBUTING.rst">contributing guide</a> to help make it easier to get started.</p>